An IBM logo displayed at CES, the world's largest annual consumer technology trade show, at The Venetian in Las Vegas, in January 2016. (Photo: Ethan Miller/Getty Images).

IBM and the Sovrin Foundation, a private-sector international non-profit organization, have announced IBM as a “founding Steward” of the Sovrin Network that utilizes the power of a “hybrid” distributed ledger - technology sometimes referred to as a Blockchain. It aims to address the current centralized identity system that costs individuals and businesses billions of dollars every year.

The news of IBM - aka "Big Blue" - becoming a “Steward” with the Sovrin Foundation, which is based in Salt Lake City, Utah, comes against a backdrop of banks spending around $1 billion a year on identity management solutions to keep data safe. And, businesses are also spending close to $70 on every password reset. So the initiative should not be taken lightly.

In a digital economy, individuals and businesses clearly need to establish secure, private and trusted transactions. However, the current centralized identity system is described as being flawed. And, evidencing this, more than 1,300 identity breaches have occurred since 2017 in the U.S., which have caused some 175 million identity records to be compromised according to the 2018 IBM X-Force Threat Index.

A recent study conducted by the cybersecurity firm Preempt has also revealed that a whopping 1 in 5 enterprise professionals use passwords weak enough to be hacked easily. Even worse, roughly 7% use extremely weak credentials such as "123456."

More concerning is that even stronger passwords can still be cracked with relative ease by experienced hackers. Even 2FA, which has been hailed as a silver bullet for password security, has displayed mixed results.

Self-Sovereign Digital Identity

Governed by a constitutional Trust Framework that is said to ensure its independence from government or industry influence, Sovrin codifies its efforts to provide what is described as “self-sovereign digital identity” for all.

But for the uninitiated, what do we mean exactly by self-sovereign identity? Well let’s clarify. It refers to a paradigm where an individual owns and maintains sole control over his or her own personal identity attributes. The identity is portable and cannot be taken away from the individual.

Adam Gunther, Director, Trusted Identity, IBM, clarifying matters in relation to self-sovereign digital identity, said: “This means that an individual’s information cannot be shared without their explicit consent at the time of the transaction. The individual decides who can access what information, when, and for how long, and can even later choose to revoke that privilege.”

Digitally-Signed Credentials

It is based on emerging standards from the World Wide Web Consortium (W3C), which standardize the format of digitally-signed credentials. These verifiable credentials enable the cryptographically secure, peer-to-peer exchange of identity information in a manner that mimics the way identity attributes are exchanged in the physical world.

And, the use of permissioned blockchains provides decentralized registration and discovery of the public keys needed to verify digital signatures. As such these two capabilities enable a new way to establish a global public utility for self-sovereign identity - lifetime portable digital identity that does not depend on any central authority and can never be taken away.

The confirmed involvement of IBM comes around seven months (September 14, 2017) after the Sovrin Foundation announced the launch of the provisional Sovrin Network, claimed at the time to be the “world's first” truly self-sovereign digital identity system.

This was offered by the Foundation as a free public utility “upon which any entity can build secure, private, and fast identity applications”, and run on validator nodes hosted by Sovrin stewards who have agreed to the legally binding Sovrin Provisional Trust Framework.

Phillip Windley, Chair of the Sovrin Foundation and an Adjunct Professor at Brigham Young University in Provo, Utah, commenting at the time said: “The promise of a global, public identity system that gives every person control over their online identity, and complete confidence in the identities of all counterparties, is finally a reality.”

He added: “Self-sovereign identity has been sorely missing from the Internet since its inception. Thanks to the development of distributed ledger technology (DLT), and the powerful performance and privacy capabilities that Sovrin adds to it, this vexing shortcoming of the Internet’s foundational architecture is now remedied.”

And, a week prior to that development last September, Sovrin and Finland’s TrustNet, a consortium of members across the Finnish digital services industry and three research organizations (Aalto University, University of Oulu and Tampere University of Technology) funded by the Finnish Funding Agency for Innovation (Tekes), announced the trial of a new decentralized identity network.

That project, which was scheduled to commence last October, had an overall duration of 18 months. (Note: TrustNet is a research and pilot project for decentralized personal data management).

More recently, this February, VALID, a Swiss-based not-for-profit, open-source platform firm launching the next iteration of the Procivis digital identity platform, initiated a pre-sale crowdsale that was sold out on its first day.

Founded by Daniel Gasteiger in Zurich, it also came with the General Data Protection Regulation (GDPR), a new European Union privacy regulation, set to be brought into force on May 25, 2018. It represents the most important change in data privacy regulation in some 20 years.

Daniel Gasteiger, CEO and Founder of VALID. (Source: VALID).

The Sovrin Network & Stewards

The Sovrin network is operated by independent Stewards and utilizes the power of a hybrid DLT that is touted as being a fast, private and secure framework for providing every person, organization, and connected device a permanent identity with which to transact online and operate securely in everyday life.

The foundation operates as a global public utility designed to provide permanent, private and trustworthy identity for every entity on the Internet.

It was back in July 2017 that the Sovrin Foundation Board of Trustees voted unanimously to approve the Sovrin Provisional Trust Framework (PTF). And, trust is the primary benefit of Sovrin.

Along with other Stewards, IBM is to dedicate hardware, security and network capacity to assist in the operation of this self-sovereign identity network, which uses DLT or blockchain technologies, to provide digital credentials to prove identity. Big Blue’s current steward runs on the IBM Cloud and is deployed for high availability.

Data Breaches

Last year, more than 2.9 billion records were reported to have been breached, which, while down on around 4 billion disclosed in 2016, is a significant number. And, given that malware can remain undetected in your networks for up to 229 days, IBM X-Force provides for analysis of suspicious files and submission of files for investigation.

“While the number of records breached was still significant, ransomware reigned in 2017 as attacks such as WannaCry, NotPetya and Bad Rabbit caused chaos across industries without contributing to the total number of compromised records reported,” noted Gunther, who is based at IBM’s Research Triangle Park office in Durham, North Carolina.

For the second year in a row, the Financial Services industry suffered the most cyberattacks against it, accounting for 27% of attacks across all industries.

These damaging and costly security breaches are a consequence of the Internet being developed without a true identity layer, it is said. To address this infrastructure flaw, the Sovrin Network is touted as being “purpose-built to add the missing identity layer” to the Internet.

It is claimed to provide a “complete approach” to identity from the distributed ledger to device, making secure and private self-sovereign digital identity possible for the first time in history.

Dr. Windley, for the Sovrin Foundation, asserted in the wake of IBM’s participation that: “The Sovrin technology is poised to change the nature of identity interactions for untold millions of people, organizations and connected devices.”

Current Identity Verification Status

Today’s identity verification methods are flawed, and Sovrin and IBM’s work to promote self-sovereign identity is setting out to change that - by giving individuals more control over their personal identity and helping to reduce fraud.

Blockchain is claimed to be the perfect solution for exchanging information, allowing parties to do so only with others whom they have permissioned and in a secure, encrypted way.

Furthermore, this solution maps to the physical world. Sovrin stores credentials in a digital wallet, much as people have for decades stored identification cards. The difference is that credentials are protected from being stolen or otherwise seen by parties that can misuse them.

“IBM’s position as a leader in blockchain technology and their commitment to supporting and solving the problem of identity for all makes them a natural partner in this effort,” contended Dr. Windley.

IBM and the Sovrin Foundation share a common vision that every individual, organization, and connected device has its own truly independent digital identity.

Commenting in relation to the USPs and attributes that both parties bring to the table in the digital identities space, Gunther said: “IBM and Sovrin bring the ability to push identity to the edges of the network to devices, which put the identity owner in control of the flow of their identity or credentials.”

He added: “No personal identifiable information (PII) is ever stored on the public ledger. This creates the framework, at the edges, for each identity owner to provide or revoke their identity or credentials through private key management for each relationship. Moreover, each relationship has a unique identity that is in the control of the identity owner and can be revoked from any relationship at any time.”

With Sovrin providing a global public utility through a public trust framework, it offers an initial framework for business to accelerate adoption as baseline governance is already established through the public trust framework.

When considering identity networks, scale and performance are critical as identity is prevalent in everything they do. The Sovrin network leverages the Hyperledger Indy, which will allow identity to scale at the edges of the network, allowing identity owners to control the flow of their identity, and perform with low latency.

IBM is positioned to help enterprises and governments build identity infrastructure to engage with identity owners when issuing and verifying identity and credentials.

And, in the onboarding and adoption of identity networks such as Sovrin, interoperability is critical, which means being able to work in the present, but also in the future where there will be a world of many networks.

“IBM's plan and vision is to build for a world of many networks through interoperability and standards,” said Gunther. “In addition, IBM provides expertise with the IBM Garage, IBM Global Services, and Promontory, an IBM company, to help customers transform and innovate around these new models, such as transforming a bank's KYC process.”

Project Indy

To help achieve this vision and ensure these digital identities are interoperable at a global scale, Sovrin Foundation Stewards run open source DLT administered by the Hyperledger Foundation, as Project Indy, a project of Hyperledger that was founded in May 2017. Based on open standards, which allow it to communicate and interoperate with other blockchains, the project was specifically initiated to support self-sovereign identity on the blockchain.

And, the journey toward global decentralized self-sovereign identity begins with a strong commitment to standards and interoperability. This first of its kind self-sovereign identity network was created by an international team of experts, including IBM, across a diverse group of organizations.

Marie Wieck, General Manager, IBM Blockchain, separately stated in the wake of the news: “We believe that the adoption of blockchain is an opportunity for a new trust model to take hold where individuals and organizations can securely share private information and credentials without an intermediary.”

She added: “This new model gives control back to the individual, who defines how personal information is shared and with whom. And, through our partnership with Sovrin, IBM can help individuals and organizations accelerate adoption of self-sovereign identity standards as a critical component for responsible data stewardship.”

Certainly the emergence of distributed ledger technology is enabling the shift towards decentralized identities that allow individuals to have control of their personally identifiable information. In partnership with Sovrin, IBM asserted that it can be “a catalyst” to help drive adoption and enable organizations worldwide to adopt and support self-sovereign identity.

IBM and the Sovrin Foundation serve as founding members of the Sovrin network. And, in collaboration with the Sovrin Foundation, the original founding member, Big Blue revealed that it will be able to invite other members (such as trust anchors) onto the Sovrin network to expand and issue identities.

The first responsibility of IBM will be to operate the Sovrin network by dedicating compute, network and security resources, which will be hosted on IBM Cloud. Big Blue will also serve as a trusted technology partner to provide enterprises and governments identity infrastructure to do business in the digital era.

This includes providing services to issue, verify, hold/own and manage digital identity and encrypted digital keys.

But as it stands IBM and the Sovrin Foundation are collaborating to ensure all individuals and organizations are equipped to exchange identity and establish relationships in a way that provides identity owners control over the flow of their identity.

To learn more about the Trust Framework underlying the Sovrin network see this link.

Follow Roger, an ex-FT writer who has penned various investment stories, on Twitter @AitkenRL, LinkedIn, Forbes, Google+. He won a State Street Institutional Press award in 2015.
